The GDPR as a risk for the annual financial statements

The high level of fines imposed by the General Data Protection Regulation (GDPR) significantly exacerbates the economic risks for companies. The implementation of the GDPR requirements must also be taken into account by the auditor during the annual audit of a company.

Since the GDPR came into force, companies have been subject to a large number of new information, transparency and accountability obligations, breaches of which are subject to fines. One yardstick for their implementation is the annual financial statement: inadequate implementation of the new data protection requirements has an impact on the annual audit. This is because, above a certain size, corporations are obliged to include a management report with their annual financial statements, which must set out the opportunities and risks of the company's future development. Should the company show deficits in the implementation of the GDPR, this must be noted accordingly - just as, for example, with antitrust, tax or corruption law issues.

In view of the significant risk potential of the GDPR, data protection must be made an integral part of the company's internal risk management system - not only in order to be prepared for any inspection by the state data protection authority, but also to avoid negative findings in the annual audit. It can be assumed that auditors will follow the audit guidance of the Institut der Wirtschaftsprüfer (IDW) for audits of compliance with the GDPR and the Federal Data Protection Act (IDW PH 9.860.1), so the issue will probably not be ignored in the audit. If the auditor finds that the requirements of data protection law are not met in the company, provisions may have to be recognised for the costs of implementation and possible fines. Data protection should therefore be given high priority at management level.

Against this background, not only companies but also the competent data protection authorities will look closely at the first annual financial statements prepared since the GDPR became applicable.